Hands-on with five antivirus apps for the Mac

Which antivirus software is the best for Mac users? It depends on your needs.

So Mac invulnerability to malware is a myth, at least according to security researchers from Kaspersky Lab. And although such a blunt statement may be a blow to the ego of some Mac users, it remains true. Security researchers from all walks have long argued that it was only a matter of time before the Mac became popular enough that virus, malware, and spyware makers would come calling, and the recent Flashback scare has only served as a reminder that overconfidence precedes carelessness. Especially when it comes to technology.

The Flashback flare-up happened less than a year after another malware spike, which came in the form of fake antivirus app Mac Defender. Though neither incident ended up infecting every single Mac, they both showed that malware on the Mac is ever-so-slowly inching its way into our public consciousness. "Market share brings attacker motivation," Kaspersky Lab told the press last month, and Mac market share is definitely on the rise.

Is it time to begin installing antivirus software on our Macs? We leave that up to you to decide for yourself, but given the spike in questions we've been receiving about which antivirus software is the best, we thought we'd take a look at a handful of the most well-known apps out there for Mac users. Your mileage may vary, but here are our impressions of five different antivirus packages after installing and using each one. In no particular order:

Kaspersky Anti-Virus for Mac

Kaspersky's antivirus software was easy to install and pretty robust. The main interface (pictured above) is simple enough to use: push the big green button to begin scanning your stuff. The green button doesn't always stay green though—when I began using the software, it started out orange with a note saying "Databases are obsolete":

I didn't find this to be particularly welcoming, and it might alarm a less experienced user upon first launching the program, as there are no instructions about what that means or how to fix it. (This was remedied by updating to the latest definitions from within the app.)

Aside from this, though, the software is relatively straightforward. As with most antivirus programs, you can change your security level depending on how strict you want the scans to be, tweak notification settings for when suspicious files are found, and even change the skin of the software (thank goodness). You can also have the software scan for a particular type of malware, so if you only want to look for trojans instead of adware or auto-dialers, you can do so. And of course, users can create a whitelist of exclusions. Kaspersky's offering comes with an uninstaller on the disk image when you download it from the website, which is also easy to use if you should choose to get rid of it. Everything worked as expected when we used this one, though depending on your personal needs, you may not want to pay $39.95 per year for it.

Intego VirusBarrier X6

Intego's VirusBarrier definitely wins the award for "The Most Buttons." There's just a lot going on when you launch this software, and for the average user, it might be a bit overwhelming. You may notice in the screenshot above that it says my filters are 166 days old, but clicking on it just displays a new message saying I can't download new ones—this is confusing and perhaps somewhat alarming to someone trying to stay protected from malware, and left me dinging Intego for usability points.

Aside from this, Intego's software scans new files in real time and puts a traffic indicator in your menubar if you're the type who likes to monitor incoming and outgoing network traffic. VirusBarrier also has a "fraudulent website protection" option for cookies, and even offers a way to hide your browser info and last site visited from other sites trying to track your browsing behavior. Like Kaspersky's software, Intego's also comes with an easy-to-find uninstaller. Overall, we felt fine about Intego, though the sheer number of available options left us feeling a bit overwhelmed. For $49.95 per year, it could be worth your while if you're looking for a very complete solution that lets you lock down on everything but the kitchen sink, but if all you want is simplicity, you aren't likely to find it here.

F-Secure Antivirus for Mac

F-Secure wins the award for requiring the "Most Hoops For Users" to jump through in order to download the trial—not only do you have to enter a campaign code to obtain the trial in the first place, you then have to wait for e-mail confirmation (the first one, that is). Then you have to click a link to confirm, which then sends you a second e-mail confirmation that requires you to click another link to download. Annoying, F-Secure. Just plain annoying.

Regardless, we found F-Secure's antivirus product to be very straightforward and fairly simplistic—but in a good way. This is no Intego—there aren't 94 buttons on the main screen for you to choose from. F-Secure's software allows you to do basic tasks like scan for viruses, block and unblock network traffic, and look at your virus/spyware history. It also turns on your OS X firewall by default (though you can turn it off again in your settings if you'd like) and… well, that's pretty much it.

After using Kaspersky's and Intego's solutions, F-Secure's seemed promising when it came to being straightforward and simple. The offering doesn't overwhelm the user and it's not hard to figure out how to use it. But I can't in good faith endorse F-Secure's offering given my experiences when installing and running it. I installed this software twice on two separate computers and had nonstop bad experiences—it completely debilitated my machine one time to the point where trying to open a Finder window was an hour-long task with nonstop beachballs. (One Mac Genius I spoke to even believed the SSD in my Mac had been corrupted because the performance was suddenly so poor.)

The second time wasn't much better; on a completely clean machine, installing F-Secure slowed things down noticeably and beachballs were frequent. Luckily, uninstalling the software appeared to restore my computers back to their actual, usable states. (The uninstaller can be found in Applications > F-Secure after you install it initially.) You may have different experiences with this one, but I plan to stay far away.

Sophos Antivirus for Mac Home Edition

Sophos' antivirus software was the most simple of all the packages we tried. It really just does one thing: scan for viruses and malware, and it automatically downloads new virus definitions. You can customize your scans and manage the files that have been set aside in quarantine, but if you want network traffic scanners or skinning capabilities, this is not the right place to look.

This software is completely free—there's no yearly fee or registration required—so there's not much to complain about when it comes to its functionality (or lack thereof, depending on what you're looking for). It's basically the polar opposite of Intego and Kaspersky's software, and is priced as such. If you're looking for the simplest antivirus software from a trusted company, this is probably it.

Avast! Free Antivirus for Mac

Avast was the only antivirus software we tested that didn't involve using a "real" installer (it just requires drag-and-drop installation). We would categorize Avast's antivirus software as more feature-rich than Sophos, but still less complex than the first two (Kaspersky and Intego)—it might be roughly on par with F-Secure when it comes to breadth of functionality.

Avast can scan your full system, local volumes, network volumes, just your home directory, or a custom mix of folders. (As usual, it also auto-downloads new virus definitions.) It automatically displays pop-ups whenever it decides to warn you about something (below) or when there are new virus definitions and important messages:

Luckily you can turn this off if you want—and I did, because I received the above message just about every time my mail client tried to retrieve e-mail—but it can be handy if you want to be alerted for unauthorized connections.

Aside from this, the software is very straightforward. Again, it's free, so there's not much room to complain if Avast's solution strikes you as a little light. Still, for "regular" users or people who simply don't need/want a ton of options, we liked Avast—it offers slightly more than Sophos for the same price, but we must note that even though it's free, you still have to register your version of Avast within 30 days of installation. Uninstallation can be done through the software itself (under the "avast!" menu) or by just deleting the app from your Applications folder, which should also remove the daemon and supporting scripts (check out this forum thread for more information). I really liked Avast when it came to simple-to-use bad-guy protection, and it's hard to beat free.

Conclusion

We're not arguing that Mac users have to install antivirus software if they want to avoid the zombie malware apocalypse. Infection numbers—even for Flashback—are still relatively low when compared against the global number of Mac users. However, we also don't think it's wise to pretend that OS X is completely immune to attacks. It's not—we know it, you (hopefully) know it, and security researchers know it. Even if you feel comfortable navigating the scary old Internet yourself, you may want to consider setting up your less-experienced friends and family members who just can't help themselves when it comes to playing Java games online or opening random e-mail attachments from China.

Keep in mind, though, that malware attacks are becoming more and more sophisticated. In the case of Flashback, the infection was spread via hijacked WordPress sites thanks to a vulnerability in the blog software. This means that trusted blogs visited by Mac users could have been used to spread the infection, reinforcing the disturbing truth that infections don't only happen by visiting shady websites or opening unidentified files. If you worry about the possibility that your own favorite sites could transmit something questionable to your machine through an unpatched vulnerability, adding an extra layer of protection between you and the Internet is worth considering.

We're sure there are other antivirus packages that you like, too. Let us know in the comments what your favorites are, or if you have additional tips to add for Mac users trying to stay safe.

Update: This article originally said Symantec didn't offer a trial for its Norton Antivirus software. That is inaccurate and we will update this article with our thoughts on Norton as soon as we can.

An interesting trend of malware these days is user-mode malware. Sure they can't hide as well as their kernel mode counterparts (and rootkits) but they seem to be able to do most of the stuff that people want.

Think about it - a user-mode malware can still hijack your browser sessions, read your email/contacts/documents/etc, and still make outgoing connections trivially (to send spam or upload data or whatever). They can't hide from the system (unless there's a root elevation exploit) but for the most part, they rely on the user not noticing until it's too late.

That's how stuff like Flashback works - they hide because the user doesn't know, and they try to avoid detection. It happens on Windows as well - it's the only way to avoid triggering UAC popups. (It acts a lot like Chrome does).

Anyhow, all platforms need antivirus. If nothing more than to prevent themselves from being the carriers of malware - just because you can't run it, doesn't mean you can't be an inadvertent host to others.

I'm also wondering why ClamXav has been left out. ClamAV has been an actively supported and developed AV utility for many, many years for Linux/Unix -- I don't remember when the ported version for OS X came out but I've been putting it on OS X installs going back to at least 10.2.x, quite a long time before Sophos, Kaspersky, and the others came about to supporting AV for OS X systems. http://www.clamxav.com/

Let's see, I could pay $40+ per year for most of these products, take the performance hit of all the constant scanning they do whenever you download a file or plug in a USB stick, and help fund the fear tactics and obnoxious advertising that these companies do, all to get access to virus detection that happens a couple weeks earlier than the updates that Apple comes out with. Or I could just not download trojans from disreputable websites, do my software updates regularly, and monitor the news for info on the two or three pieces of Mac malware that surface each year. Tough choice.

Or I could just not download trojans from disreputable websites, do my software updates regularly, and monitor the news for info on the two or three pieces of Mac malware that surface each year. Tough choice.

Don't think you have to do something to be attacked by malware. But yes, keeping up-to-date and watching the news is probably sufficient.

My biggest gripe with anti-malware tools is that they aren't going to protect against zero-day exploits, and if you're patched and up to date, you generally have no real need for anti-malware.

Anyone can fall to unanticipated threats. And anti-malware can't protect against those.

Is ars jumping the shark? I love the redesign but this article seems incredibly lightweight. Where's the actual testing of the effectiveness of the clients? All this tells us about is superficialities about installing using the different packages - not what matters, which is how effective and/or resource intensive they are - and the "hands off" advice approach 'we'll let you figure [whether you need antivirus or not] out for yourself'? Very un-ars. Verily, if thou dost know basic internet safety, thou dost not need an antivirus (yet) on the Mac for the vast majority of personal use cases.

Let's see, I could pay $40+ per year for most of these products, take the performance hit of all the constant scanning they do whenever you download a file or plug in a USB stick, and help fund the fear tactics and obnoxious advertising that these companies do, all to get access to virus detection that happens a couple weeks earlier than the updates that Apple comes out with. Or I could just not download trojans from disreputable websites, do my software updates regularly, and monitor the news for info on the two or three pieces of Mac malware that surface each year. Tough choice.

Hear! Hear! That's why I steer away from dodgy sites like Amnesty International. You know that place is just going to be a den of malware and iniquity!

More research should have been done on this article and at least some statistics from Virus Bulletin and Virus Total.

Avira also offers a free Mac version and seems to be one of the highest (free) rated on Virus Bulletin.

Engines should be looked at based on detection rates, what they can and can't detect and kill, false positive rates, what they can protect against, user population (as the greater the population the greater protection), how often do virus updates occur, do they just do virus definition blocks or do they have behavioral detection engines as well or multiple engines for detection (which is why Symantec AV can be so big/slow).

Lots of things to consider when evaluating the effectiveness of such a solution.

Also, virus definitions generally lag greatly behind wild malware. There is a delay of days, weeks or months before a definition is released and finally propagates to the masses. Which is why something like Blue Coat's K9 (and similar real time web protection software) is important to consider. They have free versions for PC and Mac. With 80 Million people feeding in real time - threats can be found and stopped. http://www1.k9webprotection.com/getk9/download-software

In short - defense in depth!

Once Apple unleashes their App Store Sandbox for OS X - that will help but there is no panacea for computer security unfortunately... so install as much as you can tolerate (AV, web, little snitch, etc...)! Good luck

An interesting trend of malware these days is user-mode malware. Sure they can't hide as well as their kernel mode counterparts (and rootkits) but they seem to be able to do most of the stuff that people want.

Think about it - a user-mode malware can still hijack your browser sessions, read your email/contacts/documents/etc, and still make outgoing connections trivially (to send spam or upload data or whatever). They can't hide from the system (unless there's a root elevation exploit) but for the most part, they rely on the user not noticing until it's too late.

That's how stuff like Flashback works - they hide because the user doesn't know, and they try to avoid detection. It happens on Windows as well - it's the only way to avoid triggering UAC popups. (It acts a lot like Chrome does).

Anyhow, all platforms need antivirus. If nothing more than to prevent themselves from being the carriers of malware - just because you can't run it, doesn't mean you can't be an inadvertent host to others.

Yeah, I have been pondering this for some time. There has been a lot of focus on root exploits over the decades, but these days just as much juicy stuff sits accessible for the user. Depending on the setup of the OS, said files may be readable by other user level accounts. Not sure how more recent Windows do it, but on XP I could access the documents folder of any user with just a lowly user account.

Too bad the effectiveness of these tools can't be evaluated, given the dearth of threats.

Not to mention...antivirus suites are really not the answer to malware on any platform. Heuristics usually don't work terribly well, and malware authors have automated tools that seed new, slightly different builds on a regular basis to dodge around the signature-based scans. I can't count how many times I've seen Windows XP boxes end up with malware despite having a suite installed. A tainted Flash embed starts a drive-by download that installs the malware, while McAfee or whatever flails its arms and warns you that something bad is happening...while being completely ineffective at stopping the malware.

The best prevention is common sense—as uncommon as that is—and removing malware when it does show up. (MalwareBytes and some other similar tools usually do the trick, Windows-side.) There's not much you can do about the silent automatic installs, but those are less common than the #1 cause of infections: trojans in questionable downloads.

Yes, how are we supposed to know if these apps are even capable of detecting malware? To do so would require some actual Mac viruses that run on the most recently updated Macs, and there are few if any of those to be found. So I guess the pro-antivirus crowd expects people to take it on faith that paying a bunch of money will help.

how are we supposed to know if these apps are even capable of detecting malware? To do so would require some actual Mac viruses that run on the most recently updated Macs, and there are few if any of those to be found.

I was looking for a review of the efficacy of modern Mac Anti Virus apps. I was hoping Ars would put one up. Instead I got the CNET version of a review. Can John Siracusa write an article on this subject for Ars? I don't come to Ars to read totally subjective of how pretty an app is.

All this discussion is prompted by the occurrence of the Flashback trojan. Did any of these products detect it? I doubt it. They protect against the last malware, which is not needed for an up-to-date Mac, and never for the next.

- mention ClamAV since it's been the go-to Mac virus scanner for as long as I can remember
- test (I mean even if you have to stash a Windows virus somewhere) - what's the point of reviewing software without checking that it can at least find a virus and (for on-demand scanners) alert you when a virus is copied to your drive
- mention which of these are or aren't on-demand scanners (Sophos? Yes or no?), and which also scan inbound/outbound email (this was only hinted at with Avast)
- what did F-Secure have to say about the problems you encountered?

Sorry for all the criticism, but it's a pretty weak piece lacking practical information.

how are we supposed to know if these apps are even capable of detecting malware? To do so would require some actual Mac viruses that run on the most recently updated Macs, and there are few if any of those to be found.

The site you linked to has 4 flashback posts from 2012 and everything else is from previous years. In total, all of it can be prevented by running the latest updates, so testing against those things provides no value. I want to know if any of these can detect malware before Apple deals with it. This is hard for Ars to test, unless you are aware of any current threats. If you aren't, and since these have minimal track record of detecting such pop up threats, then the value of Mac anti-virus is not established.

ESET has been my AV of choice on Windows for many years and my choice on my Mac for the last year or so. It's nabbed a couple of incoming attacks and doesn't gobble resources. It's especially easy to use for someone familiar with the Windows version.

Our school provided a free download of Symantec Endpoint Protection for OS X, and it wasn't nearly as bad as the Windows versions I've used. It was surprisingly user-friendly and I never caught it hogging resources. It's too bad you didn't get to try it out.

Serious question: is antivirus software actually relevant anymore? I haven't used one since Windows XP with no problems. Don't run as root, don't go to dodgy websites, don't click ads (or use adblock if you're that kind of person), have plugins require your consent to start (click to flash etc) and keep the obvious candidates (Java, Flash, your browser, your OS) up to date.

Antivirus software is a reactive list of known signatures, it's only as good as its last update. Maybe I've missed them, but there are very few pieces of malware these days that don't require your explicit consent to be installed. The last exploit I was genuinely worried about was the JPEG vulnerability from however many years ago.

Then again, I'm also a person who doesn't have contents insurance (I live in a secure apartment building, it would be a pita to burgle me, I can afford to replace the small number of things I own and so can operate as my own insurer), so maybe I'm just biased.

My biggest gripe with anti-malware tools is that they aren't going to protect against zero-day exploits, and if you're patched and up to date, you generally have no real need for anti-malware.

Being patched is well and dandy but one of the benefits of anti-malware is that it can prevent zero-day variants of known exploits. Most anti-malware detection is string-based and just because you are patched and upgraded for variant A of a certain malcode does not mean that you are safe from variant B. At least having anti-malware software gives you a fighting chance to detect the newer version of a threat.